
NULL pointer dereference in 3MF XML parser (slic3r:volume tag without ts/te/modifier attribute) #5120

Open
eldstal opened this issue Dec 26, 2021 · 2 comments


eldstal commented Dec 26, 2021

Summary

A crafted 3MF XML document can cause a crash due to a NULL pointer dereference during parsing.

Vulnerable versions

Step to reproduce

  1. Create the proof-of-concept OBJ file (3dmodel.3dmodel):

     <model>
       <resources>
         <object id="1">
           <mesh>
             <vertices>
               <slic3r:volume />
             </vertices>
           </mesh>
         </object>
       </resources>
     </model>

  2. Pack the file into a zip archive together with the prerequisite other files from a 3mf file:

     3D/3dmodel.3dmodel
     rels/.rels
     [Content_Types].xml

  3. Rename the zip archive to nullptr_3mf_volume.3mf
  4. Execute slic3r --info nullptr_3mf_volume.3mf
  5. Observe segmentation fault.

Example file

nullptr_3mf_volume.zip

Cause

get_attribute() in TMF.cpp returns NULL if the sought attribute is missing. The constructor of std::string is invoked implicitly, leading to a crash (std::string(NULL)). The check at TMF.cpp:602 is ineffective, since it occurs after the NULL pointer is dereferenced.

Impact

Denial of Service.

Proposed mitigation

Perform a NULL check on the return values from get_attribute before constructing strings from them. Ensure that the NULL check terminates parsing, as proposed in #5118 and #5119.

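The cause and mitigation described in the report, shown as an added example that is not Slic3r's own code or the reporter's: an Expat-style attribute array (alternating name/value pointers, terminated by nullptr) and a `get_attribute()` that returns nullptr for a missing attribute are assumed here as a stand-in for TMF.cpp; the `ts`/`te`/`modifier` attribute names come from the issue title. `vulnerable_volume()` reproduces the implicit `std::string(NULL)` construction and is never called; `safe_volume()` checks every pointer before building a string and reports failure through `ParseState` so the caller can stop parsing rather than continue with half-initialised state.

```cpp
#include <cstring>
#include <exception>
#include <string>

// Expat-style attribute list, e.g. {"ts","0","te","12",nullptr}.
// Assumed shape for this example; returns nullptr when the name is absent.
const char* get_attribute(const char** atts, const char* name) {
    for (const char** p = atts; *p != nullptr; p += 2) {
        if (std::strcmp(p[0], name) == 0) return p[1];
    }
    return nullptr;
}

struct Volume {
    long ts = 0;
    long te = 0;
    std::string modifier;
};

// Vulnerable pattern (NOT called anywhere in this example): std::string's
// const char* constructor dereferences its argument immediately, so a
// missing attribute is undefined behaviour (a segfault in practice) before
// any later check on the string can run.
Volume vulnerable_volume(const char** atts) {
    std::string ts  = get_attribute(atts, "ts");        // crash if absent
    std::string te  = get_attribute(atts, "te");        // crash if absent
    std::string mod = get_attribute(atts, "modifier");  // crash if absent
    Volume v;
    v.ts = std::stol(ts);
    v.te = std::stol(te);
    v.modifier = mod;
    return v;
}

// Error channel so the XML handler can abort the whole parse, not just skip
// one element (hypothetical; stands in for whatever the real parser uses).
struct ParseState {
    bool stopped = false;
    std::string error;
};

// Hardened form: NULL-check each required attribute before constructing a
// std::string from it, and terminate parsing on the first missing one.
bool safe_volume(const char** atts, Volume& out, ParseState& st) {
    const char* required[] = {"ts", "te", "modifier"};
    const char* vals[3];
    for (int i = 0; i < 3; ++i) {
        vals[i] = get_attribute(atts, required[i]);
        if (vals[i] == nullptr) {
            st.stopped = true;
            st.error = std::string("slic3r:volume missing attribute ") + required[i];
            return false;
        }
    }
    Volume v;
    try {
        v.ts = std::stol(vals[0]);
        v.te = std::stol(vals[1]);
    } catch (const std::exception&) {
        // Present but non-numeric values are also a reason to stop.
        st.stopped = true;
        st.error = "slic3r:volume ts/te not numeric";
        return false;
    }
    v.modifier = vals[2];
    out = v;
    return true;
}
```

The check belongs on the raw pointer, not on the `std::string` built from it: once the constructor has run on a null pointer the damage is done, which is why a test placed after the construction (as the report says of TMF.cpp:602) can never catch this case.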

eldstal commented Jan 25, 2022

This vulnerability has been assigned CVE-2021-45847.

supermerill (Collaborator) commented

not present in merill-merge branch
